The code uses a AES256-CTR, with a much more efficient construction than CTR-DBRG. The construction is the same one used in libottery, libottery-lite, and the BSDs' replacements for arc4random() -- except that it uses AES instead of ChaCha. I'm using AES here because performance matters most here on relays, and relays all ought to have cpu support for AES.

Performance here is much better than the alternatives, even with openssl 1.1.1a: